Cyber Security & the Hidden Risks of M&A

We were in the middle of a Security Program Assessment (SPA) for a technology company when the client’s cyber security team began to ask my colleagues and me for advice on a big problem they were facing. Their company had recently acquired a similar company and was moving to merge the IT infrastructures and establish two-way trust between the networks. But the buyer’s cyber security team had discovered a significant hurdle: the acquisition target was riddled with malware, probably hosting persistent intruders, and had been operating with very little policy or prevention/detection tooling for some time. It would take a lot of money and time to clean up the acquired company’s environment – costs that should have been factored into the purchase price.

It turned out the buyer’s cyber security team was not part of assessing the acquisition for their company, and only heard about the deal later, so the purchase was made without accounting for cyber security risk. Nobody had done the due diligence work that would have picked up on the problems.

Depending on the size of the deal and the extent of the seller’s weaknesses, not properly scoping the target company’s cyber security posture can turn a good deal into a bad one. Yet information security has rarely been a part of M&A due diligence.

Stories like these are the reason Mandiant has created a new service offering, the Mergers and Acquisitions Risk Assessment.

The M&A Security Assessment draws on our knowledge of advanced threat actors, experience responding to security breaches, and extensive expertise evaluating security programs to help organizations assess and reduce risk and address potential security gaps throughout the merger or acquisition process.

This assessment is designed for organizations looking for a rapid cyber security risk assessment as part of an M&A process. This week-long engagement analyzes and measures the acquisition’s environment and risk levels across four critical security domains. After the analysis, our consultants deliver a report outlining their findings and recommendations.

As we were finishing our SPA, the client’s IT and security teams were beginning to consider essentially “burning down” the acquired company’s infrastructure (network perimeter to endpoints) and starting from scratch. A painful lesson for that technology company, but one that doesn’t have to be repeated each time there is an M&A.